2/02/2010 @ 8:33PM

Oracle Hacker Gets The Last Word

In 2001 Larry Ellison brashly proclaimed in a keynote speech at the computing conference Comdex that his database software was “unbreakable.” David Litchfield has devoted the last nine years to making the Oracle chief executive regret that marketing stunt.

At the Black Hat security conference Tuesday afternoon, Litchfield unveiled a new bug in Oracle’s 11G database software, a critical, unpatched vulnerability that would allow a hacker to take control of an Oracle database and access or modify information at any security level. “Anything that God can do on that database, you can do,” Litchfield told Forbes in an interview following his talk.

The attack that Litchfield laid out for Black Hat’s audience of hackers and cybersecurity researchers exploits a combination of flaws in Oracle’s software. Two sections of code within the company’s database application–one that allows data to be moved between servers and another that allows management of Oracle’s implementation of java–are left open to any user, rather than only to privileged administrators. Those vulnerable subroutines each have their own simple flaws that allow the user to gain complete access to the database’s contents.

Litchfield says he warned Oracle about the flaws in November, but they haven’t been patched. Oracle didn’t immediately respond to a request for comment.

The bug is far from the first that 34-year-old Litchfield has outed on Oracle’s behalf. As a cybersecurity researcher and penetration tester, Litchfield has exposed more than a thousand database software security flaws, mostly in Oracle’s code.

But this one has a special distinction: It may be Litchfield’s last. After a distinguished career of tormenting Oracle’s security team, as well as making himself a nuisance to other firms like
IBM
,
Sybase
and
Microsoft
, Litchfield plans to retire from NGSSoftware, the firm he helped found in 2001.

In his talk, the Scottish hacker looked back at his nine years of “bashing heads” with Oracle and assessed whether the database giant’s security practices have improved over the last decade. His verdict: Yes, but not nearly enough.

In the last 27 months, 43 software flaws have been publicly exposed in Oracle’s 11G database software. That’s 35% fewer bugs than were found in the previous version of Oracle’s software during its first 27 months of public use, a sign, Litchfield says, that Oracle is taking security seriously.

But he also argued that his latest bug find was one that would be obvious to any competent software developer, even while it would be difficult to track down after the fact with security audit tools. In other words, he says the flaw shows that Oracle is still treating security as an afterthought rather than a part of the development process. “They’re using their security tools like goalkeepers,” Litchfield said in his talk. “They think ‘We can develop like we normally do because our security tools will save us.’ And they won’t.”

Litchfield had only recently founded NGSSoftware in 2001 when Ellison made his notorious claim of Oracle’s cyber invincibility. The young hacker set about proving him wrong, and found 35 flaws in the company’s software within 24 hours. “You just had to look at Oracle 9 and it would fall over,” he says of the company’s software of the time.

Oracle’s war of words with Litchfield began after he started publicizing the bugs he found–always, he says, after giving Oracle a fair chance to patch them. After revealing a bug in Oracle’s software in 2004, the company’s chief security officer Mary Ann Davidson wrote an opinion piece for ZDNet accusing security researchers like Litchfield of endangering Oracle customers. Litchfield responded by accusing her of negligence and calling for her resignation.

Meanwhile, Litchfield rose to cybersecurity stardom and penned books like Oracle Forensics, The Oracle Hacker’s Handbook and The Database Hacker’s Handbook. As he spoke with ForbesTuesday, a fellow security auditor approached to shake his hand and thank him for his research. The auditor talked about a case in which he’d used one of Litchfield’s exploits to demonstrate the vulnerability of a Louisiana Department of Health and Hospitals database. “I stopped counting the social security numbers after the first few hundred thousand,” said Litchfield’s admirer, who asked not to be named.

Even when Oracle did respond to the bugs Litchfield exposed, he says the company’s fixes were often appallingly sloppy. “They’d patch one thing and miss a bug two lines below in the code,” he says. “Sometimes it would take five years and five patches just to deal with one issue.”

Today, Litchfield says, the situation has vastly improved, as evidenced by the lower rate of bugs in Oracle 11G. He grudgingly gives the company a B plus for its efforts. “As much as it pains me to say it, well done, Oracle,” he told the Black Hat audience.

Having sold NGS to the British firm NCC in 2008, Litchfield says he’s ready to take a long vacation before exploring business opportunities in post data-breach forensics.

“I’m tired,” he says. “I’m going to take a few months off and spend some time diving before I come back.”

Given the last decade of security spats and the new bug on his hands, Larry Ellison could probably use a vacation, too.